Cyber Coverage Gaps Assessment: Ukraine's Uncovered Sectors
Ukraine's intensive cyber defense capacity building since 2022 has dramatically improved security in the highest-priority sectors: large energy operators, central government ministries, major financial institutions, and national telecommunications providers. However, significant coverage gaps remain across categories of organizations that lack the resources, organizational capacity, or prioritization to implement comparable security measures. Identifying and systematically closing these gaps is an ongoing focus of national cyber defense planning and international assistance programs.
Rural Municipalities: The Governance Gap
Ukraine has 469 raion-level districts and more than 12,000 hromada (community-level) administrative units. These local governance bodies manage water utilities, local social services, civil registration, and emergency management within their territories. The cybersecurity capabilities of rural and small-town municipalities are dramatically inferior to central government and large urban authorities: IT staff, if they exist, are general-purpose system administrators without security specialization; budgets for security tools are minimal; security monitoring is essentially nonexistent; and incident response relies entirely on CERT-UA's capacity to respond remotely to reported incidents.
Russian cyber operations have exploited local government systems for access to personal data of Ukrainian citizens, local population movement data relevant to military intelligence, and as potential pivot points for lateral movement toward higher-value targets. Several documented incidents involved initial access through small municipal IT systems followed by attempted lateral movement toward regional administration networks with more sensitive data and system access.
Regional Medical Centers
Ukraine's secondary and tertiary healthcare facilities—regional hospitals and specialized medical centers outside major cities—operate electronic health record systems, diagnostic imaging networks, laboratory information systems, and administrative IT without dedicated cybersecurity staff. These facilities have been targeted in multiple incidents, both for the intelligence value of medical records on military personnel and civilian populations, and for the disruptive impact of healthcare system outages. Russia's targeting of medical infrastructure through kinetic means (documented war crimes) is mirrored by cyber operations against healthcare IT.
International partner programs including USAID and the EU have provided cybersecurity assistance specifically for healthcare sector operators, but coverage remains incomplete—particularly for rural and regional facilities that may be geographically dispersed and organizationally isolated from sector-level coordination programs. Healthcare sector CERT (CERT-Health) capabilities in Ukraine are less developed than energy sector equivalents.
Coverage Gap Categories
| Sector Gap | Estimated Uncovered Organizations | Primary Risk | Monitoring Status | 2026 Target Coverage |
|---|---|---|---|---|
| Rural municipalities | ~8,000+ | Data compromise, pivot point | Reactive only | 50% regional center coverage |
| Regional hospitals | 200-400 facilities | Patient data, service disruption | Very limited | Basic monitoring for all |
| Small water utilities | 500-1,000 operators | Public health, SCADA exposure | Minimal | OT segmentation program |
| Educational institutions | 3,000+ schools/universities | Data, research, pivot | None | Shared security services |
| Small district energy | 100-200 operators | Grid stability, data | Partial | Extended Dragos coverage |
Donor Gap-Filling Programs
International donors have structured gap-filling programs around the coverage gaps identified through national assessments. USAID's $215 million+ cybersecurity assistance to Ukraine has specifically allocated funding for healthcare and municipal sector programs that would not receive funding under general critical infrastructure programs. The EU NIS2-aligned assistance through ENISA and bilateral country programs targets sectors required to comply with NIS2 under EU digital single market integration pathways that Ukraine has committed to pursue as part of EU accession alignment.
The challenge for donor programs addressing coverage gaps is organizational capacity: a rural municipality with one part-time IT generalist cannot absorb the same level of technical assistance as a major energy operator with a dedicated security team. Gap-filling for municipalities requires a different delivery model—shared services, regional security operations centers, managed security service provision—rather than direct organizational capacity building.
Regional Cyber Response Centers
Ukraine's regional cyber response center program addresses the distributed coverage gap by establishing security operations capacity at oblast (regional) level that can be shared across all local government and smaller organizations within the region. A regional cyber center provides security monitoring, incident response support, and security awareness services to the hundreds of small organizations in its area that cannot individually sustain these capabilities. This "hub and spoke" model for cybersecurity delivery is closely analogous to how regional fire departments provide emergency response coverage to communities too small to sustain their own full-time fire service.
Public-Private Partnership for Coverage Extension
Ukraine's technology sector companies—including major domestic IT service providers and international technology companies with Ukraine presence—have been engaged in public-private partnership arrangements to extend cybersecurity coverage to sectors and organizations beyond what government programs can reach. Microsoft's commitment to providing free cybersecurity services to Ukrainian government and critical infrastructure organizations has been the largest single example, but smaller domestic IT security companies have been organized through SSSCIP into a national cybersecurity assistance consortium that provides subsidized services to underserved organizations.
FAQ
- Why are small municipalities particularly vulnerable to cyber attacks?
- Small municipalities combine high data value (citizen records, population movement information, local infrastructure details) with minimal security infrastructure. They typically lack dedicated IT security staff, deploy systems without security configuration, don't maintain or monitor security logs, and have no incident response capability. For an adversary, small municipalities offer an easier initial compromise compared to hardened central government targets while potentially providing useful intelligence or pivot access.
- What specific patient data are Russian actors seeking from Ukrainian hospitals?
- Ukrainian medical facility data potentially includes records of military personnel receiving treatment, identifying information for wounded soldiers that could be cross-referenced with other intelligence, medication and medical supply consumption data that could indicate military personnel density in areas, and population health data useful for civil control in regions under occupation pressure. Additionally, disrupting hospital IT affects patient care, serving Russian psychological warfare objectives.
- How does Ukraine prioritize gap-filling across all the uncovered sectors?
- SSSCIP prioritizes gap-filling based on national risk assessment: sectors with the highest combination of threat targeting interest, potential operational impact, and current coverage weakness receive highest priority. Energy sub-sectors and healthcare have been higher priorities than educational institutions due to the direct impact of those services on operational defense and public welfare. Water utilities with SCADA exposure have also received targeted attention due to the public health implications of water system compromise.
- Are Ukraine's regional cyber response centers funded by international donors or national budget?
- Regional cyber response centers have mixed funding: initial establishment costs have been substantially supported by international donor programs (EU, USAID, bilateral programs), while ongoing operational costs are being transitioned toward national and regional government budget lines as part of sustainability planning. The transition from donor dependency to domestic budget funding is a key sustainability challenge for the center model.
- What is the 2026 cybersecurity coverage target for Ukraine?
- SSSCIP's publicly stated targets include SIEM monitoring coverage for all centrally managed government systems, basic security monitoring capability at all regional administrative hospitals, OT segmentation for all drinking water utilities above a minimum size threshold, and operational regional cyber response centers in all major oblasts. These targets represent significant progress from 2022 baselines but do not achieve universal coverage, recognizing resource constraints and the realistic pace of organizational capacity development.
Sources
- SSSCIP Ukraine — "National Cybersecurity Coverage Assessment and Gap Remediation Plan," 2023
- USAID — "Ukraine Cybersecurity Assistance Portfolio Overview," usaid.gov 2023-2024
- EU Advisory Mission Ukraine (EUAM) — "Municipal Governance Cybersecurity Program," euam-ukraine.eu
- CISA — "Critical Healthcare Sector Cybersecurity Advisory for Ukraine," 2023
- Microsoft — "Digital Defense of Ukraine: Updated Quarterly Reports," microsoft.com 2022-2024
Cyber Operations Analysis
The Russia-Ukraine conflict has generated the most comprehensively documented state-sponsored cyber operations in history, and the coverage gaps assessed above are a significant dimension of this digital warfare environment. Cyber attacks have targeted Ukrainian government systems, critical infrastructure, financial institutions, and military communications since well before the physical invasion began in February 2022. Understanding the technical characteristics, attributable actors, and strategic effects of cyber operations against these uncovered sectors provides essential context for assessing both immediate operational impacts and broader implications for cyber conflict doctrine.
Russian state-sponsored threat actors including Sandworm (GRU Unit 74455), APT28/Fancy Bear (GRU Unit 26165), Cozy Bear/APT29 (SVR), and Turla (FSB) have conducted sustained campaigns against Ukrainian and allied targets with objectives spanning espionage, sabotage, and influence operations. The uncovered sectors assessed above intersect with this threat actor ecosystem in specific ways: the deployment of particular malware families, the targeting of specific sectors, and the employment of novel techniques that reveal evolving adversary capabilities and intentions.
Ukraine's cyber defense architecture, significantly strengthened with Western assistance through programs including the EU's Cyber Resilience for Ukraine project and bilateral cooperation with US Cyber Command, has demonstrated growing resilience against Russian operations. The Ukrainian Computer Emergency Response Team (CERT-UA) has published hundreds of threat intelligence advisories, contributing to global understanding of Russian cyber tactics, techniques, and procedures (TTPs). This coverage gaps assessment informs that evolving defensive picture, highlighting areas where Ukrainian defenses have proven effective and where vulnerabilities remain.
The strategic calculation surrounding cyber operations against these uncovered sectors involves complex trade-offs between operational effect, attribution risk, and escalation management. Russia's decision to employ destructive wiper malware, distributed denial-of-service attacks, and infrastructure-targeting operations reflects a calibrated use of cyber as a coercive instrument alongside physical military operations. The international response, including intelligence sharing, cyber defense assistance, and potential offensive cyber operations by allied nations, shapes the cost-benefit calculations of Russian cyber strategists.
Lessons for Global Cybersecurity Policy
The cyber dimensions of the Russia-Ukraine conflict, including the coverage gaps assessed here, have generated critical lessons for national cybersecurity strategies worldwide. The importance of pre-positioning defensive measures before conflict onset, the value of international cyber defense cooperation frameworks, the role of private sector cybersecurity companies in supporting national defense, and the limitations of cyber operations as a strategic coercive tool have all been illuminated by Ukrainian experience. These lessons are reshaping cybersecurity investment priorities, information sharing architectures, and incident response frameworks across NATO and partner nations.
Frequently Asked Questions
What are the main Russian cyber attacks on Ukraine?
Russia has conducted sustained cyber operations against Ukraine since at least 2014, with a major escalation in February 2022. Key campaigns include the NotPetya attack (2017), attacks on energy infrastructure, the Viasat hack at war's start, and continuous operations against government, military, and civilian targets throughout the full-scale invasion.
How has Ukraine defended against Russian cyber attacks?
Ukraine's cyber defense has benefited from pre-invasion preparation, Microsoft and Western tech company assistance, CERT-UA operations, and the support of allied intelligence services. Ukraine developed significant cyber resilience by distributing government data to cloud infrastructure before the invasion.
What is the role of cyber warfare in the Ukraine conflict?
Cyber warfare in the Ukraine conflict operates alongside conventional military operations. Russia uses cyber attacks to disrupt infrastructure, spread disinformation, and support physical strikes, while Ukraine has developed offensive cyber capabilities to target Russian systems, including oil and gas infrastructure and military networks.
Who are the main cyber actors targeting Ukraine?
Russian state-affiliated cyber groups targeting Ukraine include Sandworm (GRU), APT28 (GRU), APT29 (SVR), Turla (FSB), and various GRU units. Ukrainian cyber forces, international volunteer hacker groups (IT Army of Ukraine), and allied intelligence cyber units operate on the Ukrainian side.
What can other countries learn from Ukraine's cyber defense?
Ukraine's cyber defense offers critical lessons: distributed cloud infrastructure reduces vulnerability to physical and cyber attacks, international information sharing accelerates threat response, pre-conflict preparation matters enormously, and the integration of civilian tech expertise with military cyber operations creates strategic advantages.